Simplifying and Harmonizing Open Source for More Efficient Compliance

46

Using open source code comes with a responsibility to comply with the terms of that code’s license, which can sometimes be challenging for users and organizations to manage. The goal of ACT is to consolidate investment in and increase interoperability and usability of, open source compliance tooling, which helps organizations manage compliance obligations.

Four Parts of ACT:

  • FOSSology: An open source license compliance software system and toolkit allowing users to run license, copyright and export control scans from the command line
  • QMSTR: Also known as Quartermaster, this tool creates an integrated open source toolchain that implements industry best practices of license compliance management. QMSTR integrates into the build systems to learn about the software products, their sources, and dependencies.
  • SPDX Tools standing for Software Package Data Exchange (SPDX) is an open standard for communicating software bill of material information including components, licenses, copyrights, and security references.
  • Tern: Tern is an inspection tool to find the metadata of the packages installed in a container image. It provides a deeper understanding of a container’s bill of materials so better decisions can be made about container-based infrastructure, integration and deployment strategies.

“There are numerous open source compliance tooling projects, but the majority are unfunded and have limited scope to build out robust usability or advanced features,” commented Kate Stewart, Senior Director of Strategic Programs at The Linux Foundation. “We have also heard from many organizations that the tools that do exist do not meet their current needs.

Read more at InfoTech Spotlight